Nikos Mavrogiannopoulos <[EMAIL PROTECTED]> writes:

> This cannot be solved. This certificate uses MD2 which is not included in
> libgcrypt as yet. I don't know if there are plans to include it in the future
> though.

We could add an MD2 implementation to gnulib, to make GnuTLS support
this when MD2 is not available through libgcrypt. I'm working on this
now.

However, I am skeptical about supporting MD2, and even MD5, by default.
I know GnuTLS certtool prints a warning about MD5, but the library does
not, and most GnuTLS library users probably don't either.

I think we should disable both MD2 and MD5, and introduce an API to
modify gnutls_certificate_verify_peers2, à la

  gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)

and a new gnutls_certificate_verify_flags enumeration type, for
gnutls_x509_crt_verify calls, e.g.:

  GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2
  GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5

All this for applications/users that want to sacrifice security for
interoperability.

What do you think?

Cheers,
Simon
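
A sketch of the default-deny policy proposed in the message above, as an added example that is not part of the original message and is not GnuTLS code. The two ALLOW flag names follow the message; the flag values, status bits, types, `verify_chain_policy` and the sample chain are assumptions, as is treating the last chain element as a trust anchor whose own signature is not evaluated.

```c
#include <stddef.h>
#include <stdio.h>

/* Model only: none of this is GnuTLS code. */
typedef enum { SIG_RSA_SHA1, SIG_RSA_MD5, SIG_RSA_MD2 } sig_algo;

/* Flag names follow the message; the numeric values are assumed. */
#define VERIFY_ALLOW_SIGN_RSA_MD2 (1u << 0)
#define VERIFY_ALLOW_SIGN_RSA_MD5 (1u << 1)

/* Status bits (hypothetical names). */
#define STATUS_INVALID            (1u << 0)
#define STATUS_INSECURE_ALGORITHM (1u << 1)

typedef struct { const char *subject; sig_algo sig; } cert;

/* Flag the application must pass before an algorithm is accepted;
 * 0 means the algorithm is accepted by default. */
static unsigned required_flag(sig_algo a)
{
    switch (a) {
    case SIG_RSA_MD2: return VERIFY_ALLOW_SIGN_RSA_MD2;
    case SIG_RSA_MD5: return VERIFY_ALLOW_SIGN_RSA_MD5;
    default:          return 0;
    }
}

/* chain[0] is the peer certificate; chain[n-1] is the trust anchor, whose
 * self-signature is not evaluated (assumption of this sketch).
 * Returns 0 when acceptable, otherwise a mask of STATUS_* bits. */
unsigned verify_chain_policy(const cert *chain, size_t n, unsigned flags)
{
    unsigned status = 0;
    if (n == 0)
        return STATUS_INVALID;           /* empty chain: fail closed */
    for (size_t i = 0; i + 1 < n; i++) {
        unsigned need = required_flag(chain[i].sig);
        if (need && !(flags & need))     /* weak digest, no opt-in given */
            status |= STATUS_INVALID | STATUS_INSECURE_ALGORITHM;
    }
    return status;
}

/* Constructed sample chain with an MD2-signed peer certificate. */
static const cert sample_chain[] = {
    { "CN=server (constructed)",       SIG_RSA_MD2  },
    { "CN=intermediate (constructed)", SIG_RSA_SHA1 },
    { "CN=root (constructed)",         SIG_RSA_MD5  },
};

int main(void)
{
    printf("default:     0x%x\n", verify_chain_policy(sample_chain, 3, 0));
    printf("MD2 allowed: 0x%x\n",
           verify_chain_policy(sample_chain, 3, VERIFY_ALLOW_SIGN_RSA_MD2));
    return 0;
}
```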
